In a production system, Oracle Enterprise Content Management Suite applications need to use an external Lightweight Directory Application Protocol (LDAP) authentication provider rather than the Oracle WebLogic Server embedded LDAP server, which is part of the default configuration. If you want to reassociate the identity store for Oracle IRM with an external LDAP authentication provider, it is easier to do this before you complete the configuration of the Oracle IRM Managed Server and before you connect it to the Oracle Universal Content Management (Oracle UCM) repository. For more information, see Section 4.4, "Reassociating the Identity Store with an External LDAP Authentication Provider."

6.1.1 Setting the Server URL Configuration Parameter for Oracle IRM

You can set the Server URL configuration parameter to an Oracle IRM Managed Server on the General Settings page for Oracle IRM in Fusion Middleware Control.

Caution:

The Server URL value is embedded into every sealed document, and Oracle IRM Desktop uses this value to identify and connect to an Oracle IRM server to retrieve licenses. This setting must not be changed after any documents have been sealed using this server, or no one will be able to access the documents.

For a simple installation where the Managed Server is directly accessible to Oracle IRM Desktop, this value will be the URI of the Managed Server. For example:

https://managedServerHost:managedServerPort/irm_desktop

To set the Server URL configuration parameter:

Start Oracle Enterprise Manager 11g Fusion Middleware Control at the following Web site:

http://adminServerHost:adminServerPort/em

For adminServerHost, specify the name of the computer that hosts the Administration Server for your domain. For adminServerPort, specify the listen port number for the Administration Server. The default number is 7001. For example:

From the farm navigation tree in Application Server Control, expand Content Management and Information Rights Management, and then click irm.

From the IRM menu, select Administration and then General Settings.

Fusion Middleware Control displays the General Settings page.

In the Server URL field, enter the URL to access the Oracle IRM Managed Server.

For example:

https://irm.example.com/irm_desktop

On the General Settings page, you can also specify other settings for Oracle IRM.

Click Apply.

6.1.2Configuring a Key Store for Oracle IRM

To configure a key store for Oracle IRM, you need to create the key store and set its location and passwords. Due to algorithm restrictions with certain Java Cryptographic Extension (JCE) security providers, a number of different cryptographic algorithms and types of key stores are supported.

6.1.2.1 Choosing a Cryptographic Algorithm, Key Size, and Key Store

You should choose the most appropriate cryptographic algorithm, key size, and key store for the target platform. For most platforms the Advanced Encryption Standard (AES) key wrapping algorithm should be used. Other platforms require an RSA key wrapping algorithm.

6.1.2.1.1AES Algorithm

With the AES algorithm, the size of the wrapping key can either 256 bits or 128 bits. To seal content using the AES 256 cryptographic schema, you should use a 256 bit wrapping key. To seal content using the AES 128 cryptographic schema, you can use a 128 bit or 256 bit wrapping key. The AES key wrap algorithm is typically faster than the RSA key wrap algorithm.

6.1.2.1.2RSA Algorithm

For installing Oracle IRM on an AIX platform, the only supported key wrapping algorithm with the IBMJCE security provider is RSA. With RSA you should use a 2048 bit key.

6.1.2.2 Creating a Key Store

The Oracle IRM Java EE application uses a cryptographic key to wrap (encrypt) and unwrap (decrypt) Oracle IRM key data stored in the database. This wrapping key must be generated before contexts can be created.

The suggested location for the key store is under the domain home, in the MW_HOME/user_projects/domains/domain_name/config/fmwconfig directory (UNIX system) or MW_HOME\user_projects\domains\domain_name\config\fmwconfig (Windows system). Placing the key store in this location ensures that the key store file is backed up when the domain and corresponding credential store files are backed up.

To create a key store for Oracle IRM:

Run the following script to set the environment.

On a UNIX operating system:

MW_HOME/wlserver_10.3/server/bin/setWLSEnv.sh

On a Windows operating system:

MW_HOME\wlserver_10.3\server\bin\setWLSEnv.cmd

For the Java and Oracle WebLogic Server tools to work, you should have the weblogic.jar file in the MW_HOME/wlserver_10.3/server/lib directory (UNIX system) or MW_HOME\wlserver_10.3\server\lib directory (Windows system).

Run the keytool utility to generate an Oracle IRM key store as follows.

For AES, enter the following keytool command (the key size can be either 128 or 256):

6.1.2.3 Setting the Key Store Location

You can set the key store location with either Fusion Middleware Control or WebLogic Scripting Tool (WLST) commands.

6.1.2.3.1 Setting the Key Store Location with Fusion Middleware Control

You can set the key store location on the Oracle IRM General Settings page in Fusion Middleware Control.

To set the key store location with Fusion Middleware Control:

Start Fusion Middleware Control at the following URL:

http://adminServerHost:adminServerPort/em

For adminServerHost, specify the name of the computer that hosts the Administration Server for your domain. For adminServerPort, specify the listen port number for the Administration Server. The default number is 7001. For example:

6.1.2.4 Setting Passwords for the Key Store

You must set passwords for the Oracle IRM key store with WLST commands. When the key store is created, you will be prompted for a key store password and a password for the generated key. These passwords are required by the Oracle IRM server.

In the connect command, substitute the correct values for username and password.

In the createCred command, substitute for password the password that was used for creating the key and keystore.

The "dummy" parameter passed to the createCred command is the user name parameter. The key store does not use a user name, so this value is ignored. This is why the value is set as dummy.

It is normal for the creatCred command to return the text "Already in Domain Runtime Tree". This text does not signify an error.

6.1.3 Configuring One-Way SSL for a Development Environment

For a development environment, you also need to configure one-way SSL with a server-specific certificate. One-way SSL means that only the server certificate passes from the server to the client but not the other way around.

To configure one-way SSL for a development environment:

Run the following script to set the environment.

On a UNIX operating system:

MW_HOME/wlserver_10.3/server/bin/setWLSEnv.sh

On a Windows operating system:

MW_HOME\wlserver_10.3\server\bin\setWLSEnv.cmd

For the Java and Oracle WebLogic Server tools to work, you should have the weblogic.jar file in the MW_HOME/wlserver_10.3/server/lib directory (UNIX system) or MW_HOME\wlserver_10.3\server\lib directory (Windows system).

Use the CertGen utility to create a server-specific, private key and certificate, as follows:

For hostname, substitute the name of the machine where Oracle IRM is deployed. You should use the same name while accessing Oracle IRM Web services. For example, to generate the server certificate for a machine named myhost.us.example.com, the command would be as follows:

On every machine running Oracle IRM Desktop, in the Certificate Import Wizard, explicitly select a certificate store for Trusted Root Certification Authorities. The root certificate must be trusted on all client computers that will access the server.

Click Next, and then follow the instructions on the wizard screens.

Set Up a Custom Identity Keystore and Trust Store:

Log in to the Oracle WebLogic Server Administration Console, at the following URL:

http://adminServerHost:adminServerPort/console

For adminServerHost, specify the name of the computer that hosts the Administration Server for your domain. For adminServerPort, specify the listen port number for the Administration Server. The default number is 7001. For example:

6.2 Accessing the Oracle IRM Management Console

When the Oracle IRM Managed Server is running, the Oracle IRM application is deployed and ready to be accessed through the Oracle IRM Management Console:

https://managedServerHost:managedServerPort/irm_rights

6.3 Configuring SSL for Oracle IRM

Oracle IRM requires SSL to be enabled on the front-end application, whether it is Oracle HTTP Server (OHS) or a Managed Server running Oracle IRM as an application deployed to Oracle WebLogic Server. Communication between Oracle IRM Desktop and the Oracle IRM server application must be over SSL because sensitive information such as passwords are communicated. Other uses of SSL, such as between OHS and Managed Servers, the Administration Server, and the LDAP authentication provider are optional.